Week 49 – 2017

FORENSIC ANALYSIS

THREAT INTELLIGENCE/HUNTING

UPCOMING WEBINARS/CONFERENCES

  • Matt McFadden at OpenText will be hosting a webinar regarding how examiners can utilise Encase to assist in analysing digital devices in child exploitation cases. The webinar will take place on Tuesday, December 12, 2017, at 11am PDT.
    Webinar: Fighting Child Exploitation with Digital Forensics

  • John LaCour at PhishLabs will be hosting a webinar on phishing and threat monitoring. The webinar will take place on Thursday, December 14, 2017, at 11:00 am – 12:00 pm EST.
    Phishing Threat Monitoring & Forensics Webinar

  • “The 11th Annual Digital Forensics and Incident Response Summit Call for Presentations is now open through 5 pm EST on Monday, January 15, 2018.” Hopefully, I can get my act together and put my presentation idea in so I get to attend again next year.
    SANS DFIR Summit 2018 CFP

PRESENTATIONS/PODCASTS

MALWARE

MISCELLANEOUS

  • Xavier Mertens provided an overview of the recent Botconf 2017 conference.
  • Eric Huber has started up his “A Fistful of Dongles” blog again; Eric also used to be a regular appearance on the Forensic 4Cast podcast. His first post was his take on Blockchains and cryptocurrencies.
    Back In The Saddle Again

  • Brian Carrier has a post about the recent update to Autopsy that introduced the correlation engine module and backend database. The post explains how to set up the module, populate the database, and identify connections between cases.
    Correlate Cases and Get Intelligence

  • Brett Shavers shares “a short video on how you can use XWF to collect data in a given eDiscovery matter”. He also has uploaded a new case study and promotional offer.
    X-Ways Forensics & eDiscovery

  • Chris Sanders shared week 4’s notes on the Cuckoo’s Egg which covers chapters 15-23.
    Cuckoo’s Egg – Week 4 Notes

  • Doctor Cotton has started a new blog aiming to document his journey into DFIR. His first post describes the hardware that he’s purchased for his testing environment.
    Building a Lab Pt.1 Hardware

  • John Ahearne at DriveSavers has a post on the analysis step in the digital forensics process. This covers a variety of topics including scoping, choosing tools, and the importance of accuracy and repeatability.
    Digital Forensic Process—Analysis

  • Robert Merriott at Forensic Notes released three articles this week:
    • The first is an interview with Stuart Rudner, an Employment Lawyer and Mediator, regarding contemporaneous notes.
      Contemporaneous Notes
    • The second presents the recommendations from various organisations about the need to take contemporaneous notes during a computer examination.
      Digital Forensics Documentation – Contemporaneous Notes Required
    • The last is an explanation of ISO 17025 which became “a mandatory standard for Digital Forensics laboratories in the United Kingdom (UK) as of October 2017”. There was also a brief discussion about the topic on Twitter. I’m interested to see how things work in the UK; if accreditation means each lab has to conduct its own evaluation of every update to every tool that they use, then they either won’t get any work done, or they will use old versions of tools. The article mentions that rates may have to go up, which may restrict the barrier to entry for small labs, and also reduce operating budgets of government labs (which probably won’t win the argument to increase their budget to cover the additional spending). I like the idea of setting a standard to work towards, and I’m also slightly worried that the standard may not get updated as quickly as technology changes. There was a recent discussion on Forensic Focus where a member stated that they were unable to make any changes to evidence without prior approval by the court. This may have been fine 20 years ago, but if someone receives an iOS device a) there’s no way they can prevent it from making changes on its own, b) examining the device makes changes, and c) getting approval per device per case will most likely take longer than the window that you’ve got to unlock the device with a pairing record. Brett’s correct that it is the wild wild west at the moment, and it seems that the court’s decision about who is and who isn’t an expert is key; it looks like an organisation, or all of them, will need to come up with a realistic standard for all labs to produce good quality work.
      ISO 17025 – Right for Digital Forensics?

  • Bradley Schatz at Inside Out advises that both Forensic Explorer and X-Ways Forensics 19.5 now have AFF4 support. Something on my to-do list is to create some E01 and AFF4 images and compare the speeds. Hopefully, I can get my act together and do it.
    Native AFF4 read support for X-Ways & Forensic Explorer

  • Kevin DeLong started a brief discussion about the “biggest challenge in investigations [in] the near future”.
    Check out @kevindelong’s Tweet

  • MSAB announced a partnership with Kovar & Associates “to expand the drone forensics capabilities offered by MSAB.”
    MSAB and Kovar & Associates Agree to Partner on Drone Forensics Work

  • Jasper at Packet Foo provided a recap of Sharkfest 2017 EU which was recently held in Portugal.
    Sharkfest 2017 EU Recap

  • Richard Bejtlich at Tao Security provides some guidance on things people can learn to augment their network security monitoring education.
    On “Advanced” Network Security Monitoring

  • Teel Technologies have launched a case management system called xBit.
    xBit Digital Case Management

  • Howard Oakley at ‘The Eclectic Light Company’ takes a look at Extended Attributes on High Sierra and lists out the ones that he’s found interesting.
    Extended attributes in High Sierra 10.13.2

  • A couple of the project teams run by the students at The Leahy Center for Digital Investigation provided updates on their projects
  • Charlie at ‘The Supreme Perception’ has compiled a list of cyber security and DFIR interview questions. The DFIR questions lend themselves more towards the IR side of the fence.
    Cyber Security and DFIR Interview Questions

SOFTWARE UPDATES

And that’s all for Week 49! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
